This page captures important references to [http://www.owasp.org/index.php/Main_Page OWASP] in official, or otherwise important, documents. It does not include presentational or educational materials, sales literature, forum messages, blog postings, news stories or press releases.


Hyperlinks have not been added within the text, other than those automatically added by the wiki, to reduce the risk of mis-interpretation. Please read the source documents in full to understand the context. Entries in each category are ordered by organisation name ascending, then date ascending.


__TOC__


=== OWASP Projects ===


Some OWASP projects maintain their own lists of citations, quotations, recommendations, testimonials and users:

*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#Users_and_Adopters OWASP Top Ten Project - Users and Adopters] and [http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=How_Are_Companies.2FProjects.2FVendors_Using_the_OWASP_Top_10.3F How Are Companies/Projects/Vendors Using the OWASP Top_10]

| In "3.2 Application security best practices", "... The following elements should be considered as part of the SDLC for application security: ... Adopt and apply secure design and coding practices for web application software development. Guidance is available from numerous sources including ... and the Open Web Application Security Project (OWASP) http://www.owasp.org." and in "5 Resources", "Open Web Application Security Project (OWASP): http://www.owasp.org ... OWASP Testing Guide v2: http://www.owasp.org/images/e/e0/OWASP_Testing_Guide_v2_pdf.zip".


The Canadian Cyber Incident Response Centre is part of [http://www.publicsafety.gc.ca Public Safety Canada].


| In "Introduction", "... For Web Application security issues, visit the Open Web Application Security Project (OWASP) website - http://www.owasp.org and ...", in "L1 20 Implementing Secure Socket Layer (SSL) with Mod_SSL", "The openssl command can be very useful in debugging and testing the SSL configurations. See http://www.openssl.org/docs/apps/ciphers.html as well as OWASP testing tips http://www.owasp.org/index.php/SSL/TLS_Testing:_support_of_weak_ciphers" and in "Appendix C - References", "The Open Web Application Security Project. 'A Guide To Building Secure Web Applications', September 22, 2002. http://www.cgisecurity.com/owasp/html/index.html".


| In "Section III. Operating in the Cloud - Domain 10: Incident Response, Notification, and Remediation", "There are other types of incidents that can affect an application in the cloud, which relate to data access, but stand alone as potentially serious for a user, and they are the OWASP Top 10 security vulnerabilities." and "The application framework can also provide components that provide protection against OWASP vulnerabilities.", and in "Domain 11: Application Security", "References... OWASP Top Ten Project, http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project".

| In "Methodologies", "There are a number of open source penetration testing methodologies that can be used as a reference when examining provider methodologies. Examples include... OWASP - Open Web Application Security Project ([http://www.owasp.org http://www.owasp.org])".


Originally published by the former National Infrastructure Security Co-ordination Centre (NISCC).


|- valign="top"


| [http://www.cpni.gov.uk/Documents/Publications/2011/2011Aug-development_and_implementation_of_secure_web%20applications.pdf Development and Implementation of Secure Web Applications]

| In "Introduction to web application security", "Organisations such as the Open Web Application Security Project (OWASP) have expanded and have been involved in a large number of projects to promote many different aspects of web application security from risk assessment guides to security testing tools. One of these projects, OWASP Top Ten aims to provide a list of the most critical web application security risks. It is not surprising that such a list evolves dramatically over time as shown in the table below" and in "References", "OWASP Top Ten http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project", "Threat Risk Modelling http://www.owasp.org/index.php/Threat_Risk_Modeling", "HTTP Parameter Pollution www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf", "Transport Layer Protection Cheat Sheet http://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet" and "Curphy, Mark et al, A Guide to Building Secure Web Applications and Web Services, OWASP, 2005 http://www.owasp.org/index.php/Category:OWASP_Guide_Project".


| In "PaaS - Tools and Services", "Web-based, n-Tier applications have a rich body of knowledge about common types of vulnerabilities and their mitigation through groups such as the Open Web Application Security Project (OWASP), but similar knowledge bases for PaaS environments are scarce and will need time to mature." and in "References" "OWASP Top Ten Project, http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project".


|- valign="top"


| [http://www.clusif.fr/en/clusif/present/ Club de la Sécurité de l'Information Français (CLUSIF)]

''Translation: In "II - Web technologies, essential, but carrying new risks - II.3 - Regulations and responsibilities", "Consequently, the provision of an application service by a company may engage the responsibility [4] ... [4] https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex OWASP Secure Software Contract Annex&nbsp;: This contract appendix is intended to help software developers and their customers negotiate important contractual conditions relating to the integrity of the software to be developed or delivered. The reason is that nothing is provided for in most contracts, the parties often having radically different views on what was initially agreed. In fact, the clear definition of the responsibilities and limits of each party is the best way of ensuring that the parties can make informed decisions on how to proceed.", in "IV - The main vulnerabilities of Web applications - IV.3 - The information leakage", "For more details on the vulnerabilities of Web applications, the reader may refer to the Top Ten of the OWASP [6] ... [6] http://www.owasp.org/index.php/OWASP_Top_Ten_Project", in "V - Which good practices for implementing a secure Web application? - V.2 - Identification of needs and risk assessment", "A first costing can be carried out at this stage in order to remain coherent with the objectives of the project owner, by using a methodology like OpenSAMM, which makes it possible to estimate costs for the various stages of the development cycle [7] ... [7] http://www.opensamm.org/" and "Methods and threat modelling tools exist to facilitate this. [8] ... [8] http://www.owasp.org/index.php/Threat_Risk_Modeling", in "V.3 - Design and Implementation", "The teams can also refer to the OWASP Guide to Build and Implement Secure Web Applications [9] ... [9] http://www.owasp.org/index.php/Category:OWASP_Guide_Project", in "VI - Web Application Security checking - VI.2.2 - Code Review", "The OWASP published a Web Applications' code review' handbook [10] ... [10] http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project", in "VI.2.3 - PenTest", "For more information, one can consult the Web Applications Security test' handbook published by the OWASP [11] ... [11] http://www.owasp.org/index.php/Category:OWASP_Testing_Project".''

| OWASP referenced in "APP3020 Threat model not established or updated... Detailed information on threat modeling can be found at the OWASP website. http://www.owasp.org/index.php/Threat_Risk_Modeling", "APP3550 Application is vulnerable to integer overflows... Examples of Integer Overflow vulnerabilities can be obtained from the OWASP website. http://www.owasp.org/index.php/Integer_overflow", "APP3560 Application contains format string vulnerabilities... Examples of Format String vulnerabilities can be obtained from the OWASP website. http://www.owasp.org/index.php/Format_string_problem", "APP3570 Application vulnerable to Command Injection... Examples of Command Injection vulnerabilities can be obtained from the OWASP website. http://www.owasp.org/index.php/Command_Injection", "APP3580 Application vulnerable to Cross Site Scripting... Examples of Cross Site Scripting vulnerabilities can be obtained from the OWASP website. http://www.owasp.org/index.php/Cross_Site_Scripting", "APP3600 Vulnerable to canonical representation attacks... Examples of Canonical Representation vulnerabilities can be obtained from the OWASP website. http://www.owasp.org/index.php/Canonicalization,_locale_and_Unicode", "APP3630 Application vulnerable to race conditions... Examples of Race Conditions vulnerabilities can be obtained from the OWASP website. https://www.owasp.org/index.php/Reviewing_Code_for_Race_Conditions", and "APP5100 Fuzz testing is not performed... The following website provides an overview of fuzz testing and examples: http://www.owasp.org/index.php/Fuzzing".


| In "Web applications - Guidance", "G#101 3.6.2.14. Agencies are recommended to follow the documentation provided in the Open Web Application Security Project (OWASP) guide to building secure Web applications and Web services.", in "Web applications - Rationale", "Web applications 3.6.2.16. The OWASP guide provides a comprehensive resource to consult when developing Web applications." and in "Web applications - References", "3.6.2.17. Further information on Web application security is available from the OWASP at http://www.owasp.org.".


| [http://www.cio.gov/Library/documents_details.cfm?id=Guidelines%20for%20Secure%20Use%20of%20Social%20Media%20by%20Federal%20Departments%20and%20Agencies,%20v1.0&structure=Information%20Technology&category=Best%20Practices Guidelines for Secure Use of Social Media by Federal Departments and Agencies]


Agencies should follow the documentation provided in the Open Web Application Security Project guides to building secure web applications and web services." and in "Software Security - Web application Development - References", "Further information on web application security is available from the Open Web Application Security Project at https://www.owasp.org/index.php/Main_Page."

| In '6.1.6 Developer Issues/Browser Vendors', 'There already exists quite a large body of development best-practice and descriptions of common pitfalls so, rather than re-inventing the wheel, we would refer the reader to the following as examples: The OWASP Guide to Building Secure Web Applications (84), ...', in '5.5.1 Fraudulent Pedigree/Provenance - 5.5.1.2 Example 2: Control of Botnets via Mashups', 'Mashups are perfectly suited to massively distributed systems with untraceable control structures and are therefore likely to lead to a variety of related attacks (see Use of Web 2.0 technologies to control botnets (38) and ...' and in '8 References and Links', '38. Use of Web 2.0 technologies to control botnets. http://www.owasp.org/images/0/02/OWASP_Day_Belgium_2007-pdp.ppt ' and '84. The OWASP Guide to Building Secure Web Applications v2. http://www.owasp.org/index.php/Category:OWASP_Guide_Project '.


| September 2009


| 1.0


| In "The Threat - Web Application Attacks", "The Open Web Application Security Project (OWASP) has published

| In "3.2 SQL Injection", "The OWASP Foundation has produced two tools that can be used to learn about and analyse attacks. The WebGoat application has been developed to demonstrate web application security errors, including SQL injection, and educate developers in how to avoid them. A web proxy, such as OWASP’s WebScarab, is needed to complete some of the WebGoat activities. Such a proxy is used to intercept communications between the browser and application, providing a means of changing the data in each message. Where appropriate examples have been taken (with permission) from the WebGoat application and WebScarab proxy output.", extensive use of screen captures from WebGoat and WebScarab, in "6.4 Education", "The key contributors in SQL injection protection are usually the application and web developers and system administrators... There are free resources on the Internet to encourage a better awareness of SQL injection techniques and guides on how to avoid it. Two examples of such free resources are OWASP Foundation’s WebGoat and ...", in "7 Acknowledgements", "Thanks to the OWASP Foundation’s WebGoat Project and WebScarab Project for their permission to use examples from these tools in this paper. They are published under the Creative Commons Licence" and in "8 References", "[i] OWASP WebGoat Project, OWASP Foundation, 15 January 2009, [http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project] [j] OWASP WebScarab Project, OWASP Foundation, 17 November 2008, [http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project]".

| In "Security Check - I'm not really a “tech” type. Are there steps our computer people can take to protect our system from common hack attacks?", "Yes. There are relatively simple fixes to protect your computers from some of the most common vulnerabilities.... Bookmark the websites of groups like the Open Web Application Security Project, www.owasp.org, or ..." and in "Additional Resources - These websites and publications have more information on securing sensitive data:", "The Open Web Application Security Project www.owasp.org".


Also available in Spanish [http://business.ftc.gov/documents/sbus69-como-proteger-la-informacion-personal-una-gui-para-negocios En español].


GovCertUK is the UK Government Emergency Response Team and is part of [http://www.cesg.gov.uk/ CESG].

| In "Chapter 4: Coding Practices", "Several secure coding practices processes are available in the marketplace (e.g., OWASP Secure Coding Practices Guide, ...", in "Chapter 8: Post Implementation Phase Controls", "All of these controls today are based on either OWASP Top 10 or SANS Top 25 Application Programming Errors." and four places in "Appendix A - Education & Training".


| In "9 Software Engineering Process", "Life cycle processes and more localized methods, practices, and techniques have been developed to aid with software security concerns. Published life cycle processes (or increments from life cycle processes that are not security-oriented) include ones from Microsoft [How06] and at OWASP (www.owasp.org)." and in "15 Appendix A: Further Reading", "[OWASP] Open Web Application Security Project www.owasp.org (website).".

| In "Resources for Procurement, Acquisition and Outsourcing", "Open web Application Security project (OWASP) Contract Annex - The OWASP provides a sample contract Annex that can be used as a framework for discussing expectations and negotiating responsibilities between acquirers (clients) and developers. The contract Annex is intended to help software developers and their clients negotiate and capture important contractual terms and conditions related to the security of the software to be developed or delivered. The language in the Annex may be used whole, in part, or as tailored to communication requirements in a work statement or stated as terms and conditions. The Annex can be obtained from: http://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex" and "Application Security Procurement Language - Application Security Procurement Language ... These guidelines incorporate substantial language from the OWASP Secure Software Contract Annex. These help enable buyers of custom software to more explicitly make code writers responsible for checking the code and for fixing security flaws before software is delivered."

| In "Resources", "“OWASP Testing Guide v3”, The Open Web Application Security Project at http://www.owasp.org/index.php/Category:OWASP_Testing_Project#OWASP_Testing_Guide_v3_2". In "Risk Analysis", "The OWASP Code Review Guide http://www.owasp.org/index.php/Application_Threat_Modeling outlines a methodology that can be used as a reference for the testing for potential security flaws."

| In "Requirements Elicitation - Misuse/Abuse Cases", "The OWASP CLASP process recommends describing misuse cases as follows...". In "Requirements Elicitation - Threat Modeling", "The OWASP Review Guide at http://www.owasp.org/index.php/Application_Threat_Modeling outlines a methodology that can be used as a reference for the testing for potential security flaws.". In "Processes", "The Comprehensive, Lightweight Application Security Process (CLASP), sponsored by the Open Web Application Security Project (OWASP), is designed to help software development teams build security into the early stages of existing and new-start software development life cycles in a structured, repeatable, and measurable way..." and "CLASP Best Practice 3: Capture Security Requirements at http://www.owasp.org/index.php/Category:BP3_Capture_security_requirements.". In "Documenting Security Requirements", "The OWASP CLASP document recommends a resource-centric approach to deriving requirements" and "OWASP CLASP v1.2 at


| 1.0


| In "Task 2. Performance of a risk assessment", "The initial draft list of vulnerability classes was developed using information from several existing documents and Web sites, .... the Open Web Application Security Project (OWASP) vulnerabilities list." and in "8 List of Acronyms", "OWASP Open Web Application Security Project".


See also NIST IR 7628 below.


NISCC is now part of the UK [http://www.cpni.gov.uk/ Centre for the Protection of National Infrastructure].

| in "Task 2. Performance of a risk assessment - Vulnerability classes", "The initial list of vulnerability classes was developed using information from several existing documents and Web sites, e.g., ... the Open Web Application Security Project (OWASP) vulnerabilities list.".


| In "1.4.2 Performance of a risk assessment of the Smart Grid, including assessing vulnerabilities, threats and impacts.", "The initial draft list of vulnerability classes was developed using information from several existing documents and websites, e.g., NIST SP 800-82 and the Open Web Application Security Project (OWASP) vulnerabilities list.", in "Appendix C - NIST CSCTG Vulnerability Classes", "As input to the classification process, we used many sources of vulnerability information, including NIST 800-82 and 800-53, OWASP vulnerabilities, CWE vulnerabilities, attack documentation from INL, input provided by the NIST CSCTG Bottoms-Up group, and the NERC CIP standards.", in "C.3.1.1. Code Quality Vulnerability", "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an attacker it provides an opportunity to stress the system in unexpected ways (OWASP page)", in "C.3.1.2. Arbitrary code execution Authentication Vulnerability", "Examples... Enrollment attacks (OWASP page Comprehensive list of Threats to Authentication Procedures and Data)", in "C.3.1.5. Environmental Vulnerability", "This category includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms. (OWASP page)", in "C.3.1.11. Path Vulnerability", "This category is for tagging path issues that allow attackers to access files that are not intended to be accessed. Generally, this is due to dynamically construction of a file path using unvalidated user input (OWASP page).", in "C.3.1.14. Sensitive Data Protection Vulnerability", "Please note that this category is intended to be different from access control problems, although they both fail to protect data appropriately. Normally, the goal of access control is to grant data access to some users but not others. In this category, we are instead concerned about protection for sensitive data that are not intended to be revealed to or modified by any application users. Examples of this kind of sensitive data can be cryptographic keys, passwords, security tokens or any information that an application relies on for critical decisions (OWASP page).", in "C.4.1.1. API Abuse", "An API is a contract between a caller and a callee. The most common forms of API abuse are caused by the caller failing to honor its end of this contract (OWASP page)" and "For example, if a program fails to call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller abuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated (OWASP page)." and in "References", "Open Web Application Security Project (OWASP) http://www.owasp.org/index.php/Category:Vulnerability".

| In "Chapter 6 Vulnerability Classes - 6.1 Introduction", "... while it was created from many sources of vulnerability information, including... Open Web Application Security Project (OWASP) vulnerabilities", in "Chapter 6 Vulnerability Classes - 6.3 Platform Software/Firmware Vulnerabilities", "The Common Weakness Enumeration ... and the Vulnerability Categories defined by OWASP ...are two taxonomies which provide descriptions of common errors or oversights that can result in vulnerability instances. Using the CWE and OWASP taxonomies as a guide this subsection describes classes and subclasses of vulnerabilities in platform software and firmware." and "The OWASP names are generally used with the exact or closest CWE-ID(s) match in parentheses", in "6.3.1.1 Code Quality Vulnerability (CWE-398)", "“Poor code quality,” states OWASP, “leads to unpredictable behavior. From a user’s perspective that often manifests itself as poor usability. For an attacker it provides an opportunity to stress the system in unexpected ways.”", in "6.3.1.4 Cryptographic Vulnerability (CWE-310) - Examples", "Testing for SSL-TLS (OWASP-CM-001) (CWE-326)", in "6.3.1.5 Environmental Vulnerability (CWE-2)", "“This category,” states OWASP, “includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms.”", in "6.3.1.12 Path Vulnerability (CWE-21)", "“This category [Path Vulnerability],” states OWASP, “is for tagging path issues that allow attackers to access files that are not intended to be accessed. Generally, this is due to dynamically construction of a file path using unvalidated user input.”", in "6.3.1.15 Sensitive Data Protection Vulnerability (CWE-199)", "OWASP describes the sensitive data protection vulnerability as follows..." and "Inappropriate protection of cryptographic keys http://www.owasp.org/index.php/Top_10_2007-Insecure_Cryptographic_Storage", in "6.3.1.23 4.2.1. API Abuse (CWE-227)", "OWASP describes the API abuse vulnerability as follows..." and in "6.6 References", "Open Web Application Security Project, April 2010, http://www.owasp.org/index.php/Category:Vulnerability" and "Open Web Application Security Project, "Testing for business logic (OWASP-BL-001)", August 2010, http://www.owasp.org/index.php/Testing_for_business_logic_%28OWASP-BL-001%29".

| "... One well-respected industry source is the Open Web Application Security Project (OWASP), an open community dedicated to application security. OWASP's extensive library and collection of tools is freely available at http://www.owasp.org. A great place to start is the OWASP Top Ten Project (http://www.owasp.org/index.php/OWASP_Top_Ten_Project). The OWASP document provides a list of critical web application security flaws and detailed suggestions for remediation. See inset box for a brief summary" and "... The Open Web Application Security Project (OWASP), an open community dedicated to application security, has developed a list of the top ten web application vulnerabilities. This list serves to educate managers, developers, and administrators to these most common vulnerabilities in the hopes of improving security. The list is summarized below...".

| In "What can an Application Programmer do?", "A well-respected source of information on web application security, to include SQL injection issues, is the Open Web Application Security Project (OWASP). At a minimum, implement the following OWASP recommendations: ..." and in "Detecting SQL Injection Vulnerabilities and Attacks", "... Information on how to go about testing for SQL injection vulnerabilities can be found on the OWASP website at http://www.owasp.org/index.php/Testing_for_SQL_Injection.".

This is one of a series of [http://www.nsa.gov/ia/guidance/security_configuration_guides/fact_sheets.shtml fact sheets] from the NSA - see also SOA/Web Services below.

| In "Milestone 3: Protect Your Network (Network Architecture) - Consider", "... Do you have custom applications facing the Internet? If so, are they protected and/or are your developers trained in writing secure code? – For guidance on writing secure Web applications, see http://www.owasp.org/index.php/Category:OWASP_Guide_Project – For guidance on testing Web applications, see http://www.owasp.org/index.php/Category:OWASP_Testing_Project ..." and listed again in the "Quick Reference".

| In Requirement 6: Develop and maintain secure systems and applications, "6.5 Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project guidelines...".

| [http://www.safecode.org/publications/SAFECode_Dev_Practices1108.pdf Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today].

| 8 October 2008

| 1.2

| In "Requirement 6: Develop and maintain secure systems and applications - 6.3.7 Review of custom code..." mentioned in "6.3.7b ...Code reviews ensure code is developed according to secure coding guidelines such as the Open Web Security Project Guide...", and "6.5 Develop all web applications (internal and external, and including web administrative access to application) based on secure coding guidelines such as the Open Web Application Security Project Guide. Cover prevention of common coding vulnerabilities in software development processes, to include the following: Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current in the OWASP guide when PCI DSS v1.2 was published. However, if and when the OWASP guide is updated, the current version must be used for these requirements.", specifically "6.5.a Obtain and review software development processes for any web-based applications. Verify that processes require training in secure coding techniques for developers, and are based on guidance such as the OWASP guide ([http://www.owasp.org http://www.owasp.org])." and the OWASP Top Ten 2007 listed as "6.5.1 Cross-site scripting (XSS), 6.5.2 Injection flaws, particularly SQL injection. Also consider LDAP and Xpath injection flaws as well as other injection flaws, 6.5.3 Malicious file execution, 6.5.4 Insecure direct object references, 6.5.5 Cross-site request forgery (CSRF), 6.5.6 Information leakage and improper error handling, 6.5.7 Broken authentication and session management, 6.5.8 Insecure cryptographic storage, 6.5.9 Insecure communications, 6.5.10 Failure to restrict URL access".

| In "Requirement 6: Develop and maintain secure systems and applications - 6.5", "Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes, to include the following: ... The vulnerabilities listed at 6.5.1 through 6.5.9 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements."

| [http://www.safecode.org/publications/SAFECode_Dev_Practices0211.pdf Fundamental Practices for Secure Software Development 2nd Edition: A Guide to the Most Effective Secure Development Practices in Use Today]

| In "Overview" and "Section 2a) Security-focused Stories and Associated Security Tasks", "In addition, the CWE/SANS Top 25 Most Dangerous Development Errors list (plus the 16 weaknesses on the cusp list) and the OWASP Top 10 list were consulted for this section to ensure completeness of coverage.", in "Security-focused story 20", "Utilize common frameworks or libraries (such as OWASP ESAPI) that provide a secure database query functionality, as defined below.", in "Security-focused story 28", "Follow best practices (e.g., OWASP Session Management Cheat Sheet) to prevent session management attacks." and "For more complete explanation of issues and test cases, please refer, e.g., to OWASP’s Testing Project, Authentication Cheat Sheet and Session Management Cheat Sheet.", in "Glossary", "OWASP: Open Web Application Security Project is a free, open-to-all community with local chapters worldwide aiming to improve the security of web applications." and in "References", "OWASP Top 10".

| In "Recommendation 2.6: Implement security based on transparent, trusted and proven solutions", "...Best practice information system development and management processes such as: ... Open Web Application Security Project (OWASP)—an open-source project dedicated to finding and fighting the causes of insecure software. The OWASP Guide provides methodology and processes for..." and in the checklist "Trusted and proven information system development processes such as ITIL, OWASP and CIS (see page 44 for a definition)—are used or considered when developing information systems".

| [http://www.aph.gov.au/House/committee/coms/cybercrime/subs/sub30.pdf Submission to House of Representatives Standing Committee on Communications – Inquiry into Cyber Crime]

| 2009

| -

| In "Goal to prevent cyber attacks from occurring", "At the national level, implement regulations which require 1. any organisation hosting a commercial web site (as opposed to a web page) to adhere to web application security standards, such as those by OWASP..."

The National Cyber Security Division is part of the [http://www.dhs.gov/ U.S. Department of Homeland Security].

|- valign="top"

| [http://www.priv.gc.ca Office of the Privacy Commissioner of Canada]

| Canada

| [http://www.priv.gc.ca/cf-dc/2009/2009_008_0716_e.cfm Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc.] (also in [http://www.priv.gc.ca/cf-dc/2009/2009_008_0716_f.cfm French])

| 16 July 2009

| -

| In the section "Industry Review" of "Summary of Investigation", OWASP mentioned in paragraph 344 "we learned that an organization known as the Open Web Application Security Project (OWASP) promotes the development of secure applications and has created several guidelines addressing issues of session management... OWASP recommends to website creators that sessions should timeout after 5 minutes for high-value applications, 10 minutes for medium-value applications, and 20 minutes for low-value applications. Although OWASP has not provided actual definitions for high-, medium-, or low-value data, it does cite ... as examples of high-value data and ... as examples of low-value data." and in paragraph 345 "...our Office's review of how various websites manage sessions indicates that the OWASP guidelines are not widely used in the industry..."

|}

=== Project Requirements ===

−

International, national governmental and other significant specification, invitation to tender (ITT) and request for proposal (RFP) documents.

OWASP Projects and Events

In "Pre-configuration Checklist", "Educated developers about writing secure code ... OWASP Top Ten - http://www.owasp.org/index.php/OWASP_Top_Ten_Project", and in "1.3 ModSecurity Core Rules Overview", "... Description ... You can learn more about the pros and cons of a negative security model in the presentation 'The Core Rule Set: Generic detection of application layer', presented at OWASP Europe 2007 ... Attack Detection ... Generic Attack Detection - Detect application level attacks such as described in the OWASP top 10. These rules employ context based patterns match over normalized fields. Detected attacks include:...", and in "1.15 Implementing Mod_SSL", "... Action ... The openssl command can be very useful in debugging and testing the SSL configurations. See http://www.openssl.org/docs/apps/ciphers.html as well as OWASP testing tips http://www.owasp.org/index.php/SSL/TLS_Testing:_support_of_weak_ciphers ...".

In "Methodologies", "There are a number of open source penetration testing methodologies that can be used as a reference when examining provider methodologies. Examples include... OWASP - Open Web Application Security Project (http://www.owasp.org)".

Originally published by the former National Infrastructure Security Co-ordination Centre (NISCC).

In "Section III. Operating in the Cloud - Domain 10: Incident Response, Notification, and Remediation", "There are other types of incidents that can affect an application in the cloud, which relate to data access, but stand alone as potentially serious for a user, and they are the OWASP Top 10 security vulnerabilities." and "The application framework can also provide components that provide protection against OWASP vulnerabilities.", and in "Domain 11: Application Security", "References... OWASP Top Ten Project, http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project".

In "Security Architecture - Application Security (SA-04)", "Applications shall be designed in accordance with industry accepted security standards (i.e., OWASP for web applications) and complies with applicable regulatory and business requirements.".

In "PaaS - Tools and Services", "Web-based, n-Tier applications have a rich body of knowledge about common types of vulnerabilities and their mitigation through groups such as the Open Web Application Security Project (OWASP), but similar knowledge bases for PaaS environments are scarce and will need time to mature." and in "References" "OWASP Top Ten Project, http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project".

Translation: In "II - Web technologies, essential, but carrying new risks - II.3 - Regulations and responsibilities", "Consequently, the provision of an application service by a company may engage its responsibility [4] ... [4] https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex OWASP Secure Software Contract Annex: This contract annex is intended to help software developers and their customers negotiate important contractual conditions relating to the integrity of the software to be developed or delivered. The reason is that most contracts make no provision for this, the parties often having radically different views of what was actually agreed. In fact, a clear definition of each party's responsibilities and limits is the best way to ensure that the parties can make informed decisions on how to proceed.", in "IV - The main vulnerabilities of Web applications - IV.3 - Information leakage", "For more details on the vulnerabilities of Web applications, the reader may refer to the OWASP Top Ten [6] ... [6] http://www.owasp.org/index.php/OWASP_Top_Ten_Project", in "V - Which good practices for implementing a secure Web application? - V.2 - Identification of needs and risk assessment", "A first costing can be carried out at this stage, in order to remain consistent with the objectives of the project owner, by using a methodology such as OpenSAMM, which makes it possible to estimate costs for the various stages of the development cycle [7] ... [7] http://www.opensamm.org/" and "Threat modeling methods and tools exist to facilitate this. [8] ... [8] http://www.owasp.org/index.php/Threat_Risk_Modeling", in "V.3 - Design and Implementation", "The teams can also refer to the OWASP Guide to Building and Implementing Secure Web Applications [9] ... [9] http://www.owasp.org/index.php/Category:OWASP_Guide_Project", in "VI - Web Application Security checking - VI.2.2 - Code Review", "OWASP has published a Web application code review handbook [10] ... [10] http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project", in "VI.2.3 - PenTest", "For more information, one can consult the Web application security testing handbook published by OWASP [11] ... [11] http://www.owasp.org/index.php/Category:OWASP_Testing_Project".

In "Web applications - Guidance", "G#101 3.6.2.14. Agencies are recommended to follow the documentation provided in the Open Web Application Security Project (OWASP) guide to building secure Web applications and Web services.", in "Web applications - Rationale", "Web applications 3.6.2.16. The OWASP guide provides a comprehensive resource to consult when developing Web applications." and in "Web applications - References", "3.6.2.17. Further information on Web application security is available from the OWASP at http://www.owasp.org.".

In '6.1.6 Developer Issues/Browser Vendors', 'There already exists quite a large body of development best-practice and descriptions of common pitfalls so, rather than re-inventing the wheel, we would refer the reader to the following as examples: The OWASP Guide to Building Secure Web Applications (84), ...', in '5.5.1 Fraudulent Pedigree/Provenance - 5.5.1.2 Example 2: Control of Botnets via Mashups', 'Mashups are perfectly suited to massively distributed systems with untraceable control structures and are therefore likely to lead to a variety of related attacks (see Use of Web 2.0 technologies to control botnets (38) and ...' and in '8 References and Links', '38. Use of Web 2.0 technologies to control botnets. http://www.owasp.org/images/0/02/OWASP_Day_Belgium_2007-pdp.ppt ' and '84. The OWASP Guide to Building Secure Web Applications v2. http://www.owasp.org/index.php/Category:OWASP_Guide_Project '.

In "Security Check - I'm not really a “tech” type. Are there steps our computer people can take to protect our system from common hack attacks?", "Yes. There are relatively simple fixes to protect your computers from some of the most common vulnerabilities.... Bookmark the websites of groups like the Open Web Application Security Project, www.owasp.org, or ..." and in "Additional Resources - These websites and publications have more information on securing sensitive data:", "The Open Web Application Security Project www.owasp.org".

In "Chapter 4: Coding Practices", "Several secure coding practices processes are available in the marketplace (e.g., OWASP Secure Coding Practices Guide, ...", in "Chapter 8: Post Implementation Phase Controls", "All of these controls today are based on either OWASP Top 10 or SANS Top 25 Application Programming Errors." and four places in "Appendix A - Education & Training".

In "3.2 SQL Injection", "The OWASP Foundation has produced two tools that can be used to learn about and analyse attacks. The WebGoat application has been developed to demonstrate web application security errors, including SQL injection, and educate developers in how to avoid them. A web proxy, such as OWASP’s WebScarab, is needed to complete some of the WebGoat activities. Such a proxy is used to intercept communications between the browser and application, providing a means of changing the data in each message. Where appropriate examples have been taken (with permission) from the WebGoat application and WebScarab proxy output.", extensive use of screen captures from WebGoat and WebScarab, in "6.4 Education", "The key contributors in SQL injection protection are usually the application and web developers and system administrators... There are free resources on the Internet to encourage a better awareness of SQL injection techniques and guides on how to avoid it. Two examples of such free resources are OWASP Foundation’s WebGoat and ...", in "7 Acknowledgements", "Thanks to the OWASP Foundation’s WebGoat Project and WebScarab Project for their permission to use examples from these tools in this paper. They are published under the Creative Commons Licence" and in "8 References", "[i] OWASP WebGoat Project, OWASP Foundation, 15 January 2009, http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project [j] OWASP WebScarab Project, OWASP Foundation, 17 November 2008, http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project".

GovCertUK is the UK Government Emergency Response Team and is part of CESG.

In "9 Software Engineering Process", "Life cycle processes and more localized methods, practices, and techniques have been developed to aid with software security concerns. Published life cycle processes (or increments from life cycle processes that are not security-oriented) include ones from Microsoft [How06] and at OWASP (www.owasp.org)." and in "15 Appendix A: Further Reading", "[OWASP] Open Web Application Security Project www.owasp.org (website).".

In "Resources for Procurement, Acquisition and Outsourcing", "Open web Application Security project (OWASP) Contract Annex - The OWASP provides a sample contract Annex that can be used as a framework for discussing expectations and negotiating responsibilities between acquirers (clients) and developers. The contract Annex is intended to help software developers and their clients negotiate and capture important contractual terms and conditions related to the security of the software to be developed or delivered. The language in the Annex may be used whole, in part, or as tailored to communication requirements in a work statement or stated as terms and conditions. The Annex can be obtained from: http://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex" and "Application Security Procurement Language - Application Security Procurement Language ... These guidelines incorporate substantial language from the OWASP Secure Software Contract Annex. These help enable buyers of custom software to more explicitly make code writers responsible for checking the code and for fixing security flaws before software is delivered."

In "Requirements Elicitation - Misuse/Abuse Cases", "The OWASP CLASP process recommends describing misuse cases as follows...". In "Requirements Elicitation - Threat Modeling", "The OWASP Review Guide at http://www.owasp.org/index.php/Application_Threat_Modeling outlines a methodology that can be used as a reference for the testing for potential security flaws.". In "Processes", "The Comprehensive, Lightweight Application Security Process (CLASP), sponsored by the Open Web Application Security Project (OWASP), is designed to help software development teams build security into the early stages of existing and new-start software development life cycles in a structured, repeatable, and measurable way..." and "CLASP Best Practice 3: Capture Security Requirements at http://www.owasp.org/index.php/Category:BP3_Capture_security_requirements.". In "Documenting Security Requirements", "The OWASP CLASP document recommends a resource-centric approach to deriving requirements" and "OWASP CLASP v1.2 at

In "Task 2. Performance of a risk assessment", "The initial draft list of vulnerability classes was developed using information from several existing documents and Web sites, .... the Open Web Application Security Project (OWASP) vulnerabilities list." and in "8 List of Acronyms", "OWASP Open Web Application Security Project".

In "Task 2. Performance of a risk assessment - Vulnerability classes", "The initial list of vulnerability classes was developed using information from several existing documents and Web sites, e.g., ... the Open Web Application Security Project (OWASP) vulnerabilities list.".

In "Chapter 6 Vulnerability Classes - 6.1 Introudction", "... while it was created from many sources of vulnerability information, including... Open Web Application Security Project (OWASP) vulnerabilities", in ""Chapter 6 Vulnerability Classes - 6.3 Platform Software/Firmware Vulnerabilities", "The Common Weakness Enumeration ... and the Vulnerability Categories defined by OWASP ...are two taxonomies which provide descriptions of common errors or oversights that can result in vulnerability instances. Using the CWE and OWASP taxonomies as a guide this subsection describes classes and subclasses of vulnerabilities in platform software and firmware." and "The OWASP names are generally used with the exact or closest CWE-ID(s) match in parentheses", in "6.3.1.1 Code Quality Vulnerability (CWE-398)", "“Poor code quality,” states OWASP, “leads to unpredictable behavior. From a user’s perspective that often manifests itself as poor usability. For an attacker it provides an opportunity to stress the system in unexpected ways.”", in "6.3.1.4 Cryptographic Vulnerability (CWE-310) - Examples", "Testing for SSL-TLS (OWASP-CM-001) (CWE-326)", in "6.3.1.5 Environmental Vulnerability (CWE-2)", "“This category,” states OWASP, “includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms.”", in "6.3.1.12 Path Vulnerability (CWE-21)", "“This category [Path Vulnerability],” states OWASP, “is for tagging path issues that allow attackers to access files that are not intended to be accessed. Generally, this is due to dynamically construction of a file path using unvalidated user input.”", in "6.3.1.15 Sensitive Data Protection Vulnerability (CWE-199)", "OWASP describes the sensitive data protection vulnerability as follows..." 
and "Inappropriate protection of cryptographic keys http://www.owasp.org/index.php/Top_10_2007-Insecure_Cryptographic_Storage", in "6.3.1.23 4.2.1. API Abuse (CWE-227)", "OWASP describes the API abuse vulnerability as follows..." and in "6.6 References", "Open Web Application Security Project, April 2010, http://www.owasp.org/index.php/Category:Vulnerability" and "Open Web Application Security Project, " Testing for business logic (OWASP-BL-001)",August 2010, http://www.owasp.org/index.php/Testing_for_business_logic_%28OWASP-BL-001%29".

"... One well-respected industry source is the Open Web Application Security Project (OWASP), an open community dedicated to application security. OWASP's extensive library and collection of tools is freely available at http://www.owasp.org. A great place to start is the OWASP Top Ten Project (http://www.owasp.org/index.php/OWASP_Top_Ten_Project). The OWASP document provides a list of critical web application security flaws and detailed suggestions for remediation. See inset box for a brief summary" and "... The Open Web Application Security Project (OWASP), an open community dedicated to application security, has developed a list of the top ten web application vulnerabilities. This list serves to educate managers, developers, and administrators to these most common vulnerabilities in the hopes of improving security. The list is summarized below...".

In "What can an Application Programmer do?", "A well-respected source of information on web application security, to include SQL injection issues, is the Open Web Application Security Project (OWASP). At a minimum, implement the following OWASP recommendations: ..." and in "Detecting SQL Injection Vulnerabilities and Attacks", "... Information on how to go about testing for SQL injection vulnerabilities can be found on the OWASP website at http://www.owasp.org/index.php/Testing_for_SQL_Injection.".

This is one of a series of fact sheets from the NSA - see also SOA/Web Services below.

In "Requirement 6: Develop and maintain secure systems and applications - 6.3.7 Review of custom code..." mention in "6.3.7b ...Code reviews ensure code is developed according to secure coding guidelines such as the Open Web Security Project Guide...". And "6.5 Develop all web applications (internal and external, and including web administrative access to application) based on secure coding guidelines such as the Open Web Application Security Project Guide. Cover prevention of common coding vulnerabilities in software development processes, to include the following: Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current in the OWASP guide when PCI DSS v1.2 was published. However, if and when the OWASP guide is updated, the current version must be used for these requirements.", specifically "6.5.a Obtain and review software development processes for any web-based applications. Verify that processes require training in secure coding techniques for developers, and are based on guidance such as the OWASP guide (http://www.owasp.org)." and the OWASP Top Ten 2007 listed as "6.5.1 Cross-site scripting (XSS), 6.5.2 Injection flaws, particularly SQL injection. Also consider LDAP and Xpath injection flaws as well as other injection flaws, 6.5.3 Malicious file execution, 6.5.4 Insecure direct object references, 6.5.5 Cross-site request forgery (CSRF), 6.5.6 Information leakage and improper error handling, 6.5.7 Broken authentication and session management, 6.5.8 Insecure cryptographic storage, 6.5.9 Insecure communications, 6.5.10 Failure to restrict URL access".

In "Requirement 6: Develop and maintain secure systems and applications - 6.5", "Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes, to include the following: ... The vulnerabilities listed at 6.5.1 through 6.5.9 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements."

In "Overview" and "Section 2a) Security-focused Stories and Associated Security Tasks", "In addition, the CWE/SANS Top 25 Most Dangerous Development Errors list (plus the 16 weaknesses on the cusp list) and the OWASP Top 10 list were consulted for this section to ensure completeness of coverage.", in "Security-focused story 20", "Utilize common frameworks or libraries (such as OWASP ESAPI) that provide a secure database query functionality, as defined below.", in "Security-focused story 28", "Follow best practices (e.g., OWASP Session Management Cheat Sheet) to prevent session management attacks." and "or more complete explanation of issues and test cases, please refer, e.g., to OWASP’s Testing Project, Authentication Cheat Sheet and Session Management Cheat Sheet.", in "Glossary", "OWASP: Open Web Application Security Project is a free, open-to-all community with local chapters worldwide aiming to improve the security of web applications." and in "References", "OWASP Top 10".

In "Recommendation 2.6: Implement security based on transparent, trusted and proven solutions", "...Best practice information system development and management processes such as: ... Open Web Application Security Project (OWASP)—an open-source project dedicated to finding and fighting the causes of insecure software. The OWASP Guide provides methodology and processes for..." and in the checklist "Trusted and proven information system development processes such as ITIL, OWASP and CIS (see page 44 for a definition)—are used or considered when developing information systems".

In "Goal to prevent cyber attacks from occurring", "At the national level, implement regulations which require 1. any organisation hosting a commercial web site (as opposed to a web page) to adhere to web application security standards, such as those by OWASP..."

In the section "Industry Review" of "Summary of Investigation", OWASP is mentioned in paragraph 344: "we learned that an organization known as the Open Web Application Security Project (OWASP) promotes the development of secure applications and has created several guidelines addressing issues of session management... OWASP recommends to website creators that sessions should timeout after 5 minutes for high-value applications, 10 minutes for medium-value applications, and 20 minutes for low-value applications. Although OWASP has not provided actual definitions for high-, medium-, or low-value data, it does cite ... as examples of high-value data and ... as examples of low-value data." and in paragraph 345 "...our Office's review of how various websites manage sessions indicates that the OWASP guidelines are not widely used in the industry..."

=== Project Requirements ===

International, national governmental and other significant specification, invitation to tender (ITT) and request for proposal (RFP) documents.